antstrength

domain login script

I am currently publishing an application via terminal services.  My current setup has the user's local account specify to "start the following program at logon", which is really just a small batch file that will open up the correct program for them.  This works perfectly for local accounts, but is not scalable.

I am now adding a domain controller and would like to replicate this setup for domain users.  I created a logical unit and group for the terminal services users that will use my application.  I then set up a group policy with the login batch file in it.  For some reason, however, the script is never executed at login.

How can I do this, and, furthermore, how can I replicate my setup for local users with the domain?

Dave
Debsyl99

Hi
There are numerous ways you should be able to achieve this. Have a look at these:
HOW TO: Automatically Run Programs When Users Log On to Windows 2000 Terminal Services
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321707
How To Assign a Logon Script to a Profile for a Local User in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;258286

With group policy you need to make sure the relevant users or groups have read and apply permissions for that gpo. You also cannot apply group policy to a group by moving that group to an OU. The users in that group need to be in the OU. You can however filter the application of group policy by using security groups, details contained within this link,
4956 » How do I optimize Group Policy to increase logon performance
http://www.jsiinc.com/SUBJ/tip4900/rh4956.htm#5
Also here's an extremely useful tool for managing and enumerating the results of application of group policy. You'll need either Windows 2003 Server or Windows XP Pro Sp1 client with .net framework installed to run it. It will work within a windows 2000 server domain although is slightly more limited,
Introducing the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx

Hope that is a helpful start,

Deb :))
ASKER

Thank you Deb for your helpful links on group policy.  I just spent some hours immersing myself in group policy and have had limited success accomplishing my ultimate goal.  Allow me to clarify it.

At the "active directory users and computers" snap-in, I have specified for each user to "start the following program at login".  The program is a small batch file which will open up the program that I am publishing.  When the program is closed, the user is automatically logged out (this is required.)

If a user logs into the terminal server directly, this works perfectly.  If they log into another machine on the domain, the program does not start.  How can I accomplish this?

Dave
Hi
You could assign this as a login script - so it runs when a user logs on to the domain. Short way to do it:
1) Create a new Organisational Unit in ADUC,
2) Move the users into this new OU
3) Right-click the OU, click properties, and then go to the group policy tab. Click New, to link a new gpo to the unit, and name it something appropriate.
4) Edit the group policy object - Expand User Configuration, Windows Settings and you'll see scripts (logon/logoff).
5) Double-click logon and it will bring up a new dialog box. Click show files and it will open up the relevant logon script folder for that policy. Paste your script into this folder. It needs to be in here in order to run. Close the folder, then on the scripts dialog box click add, browse and select your script. Then click open, and ok to attach that script as a logon script to that OU.
6) Click apply and then close, so that you come back to the general group policy dialog for that OU (options are new,add,edit,options, delete, properties).
7) Click on properties for that GPO - then click on security. Ensure that the users in this OU have both read and apply group policy permissions on that GPO. You can do this using a security group that the users are a member of.
8) Close, then run the following command from a command prompt -
secedit /refreshpolicy user_policy
This will allow the policy to be replicated. Then test the script by logging in as one of your target users,
How to assign scripts in Windows 2000
http://support.microsoft.com/?id=322241

Bear in mind that this policy will apply no matter where these users login, unless you specify policy otherwise,

Hope that helps,

Deb :))
Dave,

Adding to what Deb has mentioned, I'm assuming you are requiring users to ONLY be able to use this particular software from their desktop and not be able to run anything else.  Sort of like dumb terminal.  If that is the case, you might want to consider investing in TS Dumb Terminals.  They run for about $100 which is much cheaper than a full PC.

If purchasing new hardware is not an option for you, then consider locking down the PC to a minimum using Group Policy.  Meaning, you could redirect everyone's desktop to one particular desktop on the network \\server\share\desktop, My documents to \\server\share\mydocs, etc.  Also, remove the Run command and set the Group Policy to "Only Allow running the following programs" and add your programs in there.  That will make the PC pointing to the read only desktop which would have an icon for your batchfile to start the application.  That application would be on the list of allowed programs.... you get the point.

If that route sounds applicable to your need and you would like help with setting up the GPO for that, let me know and I'd be happy to help out.

JM
I have already locked down the desktop very much so.  Thank you for your suggestion.  This does not address my other problem, though.  I only want the user to see the application, and nothing else.  I also want the user to be logged out when the application closes.  This is how it works if the user is logged on locally to the domain controller, and the "start the following program at login" option is specified.  

If I could just get other machines in the domain to also start the program at login, then problem would be solved.

A possible route I have considered is to write a small vb application that will automatically open the correct version of the program (every user has his/her own copy), and specifying it to startup instead of the windows GUI.  This is much more work, though, than if there were an easy way to duplicate the domain controller's login behavior on the other domain computers.

Dave
Hi

Are you using a terminal services or remote desktop connection only by any chance? It would appear so.  What you are looking for I think requires a bit of manipulation of group policy to achieve in the way that you wish as there is no simple setting in GP to mimic the way that the term services/remote desktop "start following program at logon" facility works (I agree that there should be though). I'll post some links - look for the policy scenario "Highly Managed User" and "TaskStation". I know it references 2003 but it does also apply to 2000. Unfortunately it's not super-simple and will require some testing on your part. Note the GPMC is extremely useful anyway but requires Windows 2003 server or Windows XP SP1 client pc with .net framework installed to run it. It will work on 2000 server domains though and is worth a look as a useful tool for managing group policy if you haven't already come across it.

Introducing the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx

But if ALL you need is to start the program at logon check out the policy under:
User configuration-Administrative Templates-System-Custom User Interface
It is possible to add the path to your app here ie %programfiles%\yourfolder\yourapp.exe

Worth a try if all you need is to start this program at logon.

Group Policy Common Scenarios Using GPMC
http://www.microsoft.com/downloads/details.aspx?FamilyID=354b9f45-8aa6-4775-9208-c681a7043292&DisplayLang=en
Implementing Common Desktop Management Scenarios with the Group Policy Management Console
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx

You may also look into adding the application to the relevant run keys in the client's registry as another option but let's see how this goes. I do have a vb script that will constantly check for an instance of a running application and log off a user when that app stops but haven't posted it yet as I'm not sure it will help. Let me know if you want it.

Hope that helps a bit!

Deb :))
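
A launcher of the kind discussed in this thread (start each user's own copy of the program, then end the session when it closes), written as an added example that is not part of the thread and is not Deb's script. The D:\PublishedApp root, the per-user folder layout and app.exe are hypothetical, and the script assumes logoff.exe is present on the machine, as it is on a terminal server.

```batch
@echo off
rem Added example: per-user launcher meant to be set as the Custom User
rem Interface value or as the "start the following program at logon" program.
setlocal

rem Hypothetical layout: one copy of the application per user under APPROOT.
set "APPROOT=D:\PublishedApp"
set "APPEXE=%APPROOT%\%USERNAME%\app.exe"

rem Fail closed: if this user's copy is missing, end the session instead of
rem leaving the user at a command prompt or an empty desktop.
if not exist "%APPEXE%" goto end_session

rem start /wait blocks until the application exits. The empty "" is the
rem window title that start expects before a quoted path.
start "" /wait "%APPEXE%"

:end_session
rem logoff with no arguments ends the current session.
logoff
```

Because the script blocks until the application exits, it fits the Custom User Interface setting or the environment-tab start program better than a GPO logon script, which is expected to finish.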
Ahh, I can see where you guys are getting confused.  I am not using the "start following program at logon" that is present on the CLIENT.  I am setting it in ADUC for each user.  It's under the "environment" tab, I think.

For deployment, I'm actually using the activeX control (formerly known as TSAC).

That vb script sounds like it could be an incredible help.  Ideally, it would start the right copy of the program for each user (I need to have a distinct copy for each user), and would be set as the custom GUI.  Got source?

Dave
ASKER CERTIFIED SOLUTION
Debsyl99

Thank you for all your help.  I will modify that script to do exactly what I need.  All of the users in question are logging onto my terminal servers via their own unmanaged machines.  What I have done in the past is to create regular, local accounts on each of my terminal servers.  I am now moving the terminal servers to a domain, and that is why I am trying to replicate the process of logging in locally via terminal services with a domain.